author | Daniil Baturin <daniil@vyos.io> | 2023-12-05 19:55:57 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-12-05 19:55:57 +0000 |
commit | 99c674cdf6147a69fd57b4151886ff42917caeec (patch) | |
tree | 143e2d3ccbd75fd44bbee2133639f905cfcca961 /python | |
parent | 24b9ceb04049694a13d1fe23c76e267e335b948e (diff) | |
parent | 24a1a70596fafdd35d88506159e6cb9cd94e7a66 (diff) | |
Merge pull request #2574 from nicolas-fort/T5779
T5779: conntrack: Apply fixes to <set system conntrack timeout custom>
Diffstat (limited to 'python')
-rw-r--r-- | python/vyos/template.py | 29 |
1 files changed, 23 insertions, 6 deletions
diff --git a/python/vyos/template.py b/python/vyos/template.py
index 1e683b605..0e2663258 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -664,8 +664,8 @@ def nat_static_rule(rule_conf, rule_id, nat_type):
 from vyos.nat import parse_nat_static_rule
 return parse_nat_static_rule(rule_conf, rule_id, nat_type)
-@register_filter('conntrack_ignore_rule')
-def conntrack_ignore_rule(rule_conf, rule_id, ipv6=False):
+@register_filter('conntrack_rule')
+def conntrack_rule(rule_conf, rule_id, action, ipv6=False):
 ip_prefix = 'ip6' if ipv6 else 'ip'
 def_suffix = '6' if ipv6 else ''
 output = []
@@ -676,11 +676,15 @@ def conntrack_ignore_rule(rule_conf, rule_id, ipv6=False):
 output.append(f'iifname {ifname}')
 if 'protocol' in rule_conf:
- proto = rule_conf['protocol']
+ if action != 'timeout':
+ proto = rule_conf['protocol']
+ else:
+ for protocol, protocol_config in rule_conf['protocol'].items():
+ proto = protocol
 output.append(f'meta l4proto {proto}')
 tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
- if tcp_flags:
+ if tcp_flags and action != 'timeout':
 from vyos.firewall import parse_tcp_flags
 output.append(parse_tcp_flags(tcp_flags))
@@ -743,11 +747,24 @@ def conntrack_ignore_rule(rule_conf, rule_id, ipv6=False):
 output.append(f'{proto} {prefix}port {operator} @P_{group_name}')
- output.append('counter notrack')
- output.append(f'comment "ignore-{rule_id}"')
+ if action == 'ignore':
+ output.append('counter notrack')
+ output.append(f'comment "ignore-{rule_id}"')
+ else:
+ output.append(f'counter ct timeout set ct-timeout-{rule_id}')
+ output.append(f'comment "timeout-{rule_id}"')
 return " ".join(output)
+@register_filter('conntrack_ct_policy')
+def conntrack_ct_policy(protocol_conf):
+ output = []
+ for item in protocol_conf:
+ item_value = protocol_conf[item]
+ output.append(f'{item}: {item_value}')
+
+ return ", ".join(output)
+
 @register_filter('range_to_regex')
 def range_to_regex(num_range):
 """Convert range of numbers or list of ranges |
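Review bot: The new `action` parameter in the `conntrack_rule` signature is never validated, and because the later branches only test `!= 'timeout'` and `== 'ignore'`, a misspelled action passed from a template is silently rendered as a `ct timeout set` rule instead of failing. A guard right after the signature, `if action not in ('ignore', 'timeout'): raise ValueError(f'unknown conntrack rule action: {action}')`, would surface such a template bug at render time rather than as a malformed nftables ruleset. The `conntrack_ignore_rule` filter name is dropped outright, so any template still referencing it will fail at render; the templates tree is outside this diff and worth grepping. The function body continues past the end of the hunk.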
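Review bot: In the timeout branch, `for protocol, protocol_config in rule_conf['protocol'].items(): proto = protocol` keeps only the last key, so a rule carrying more than one protocol silently renders `meta l4proto` for just one of them, and an empty `protocol` dict leaves `proto` unbound so the following `output.append(f'meta l4proto {proto}')` raises `NameError`; `protocol_config` is also never used. Replacing the loop with `protocols = list(rule_conf['protocol'])`, `if len(protocols) != 1: raise ValueError(f'timeout rule {rule_id} must set exactly one protocol')`, `proto = protocols[0]` makes the single-protocol assumption explicit and fails loudly instead of dropping input. Whether the CLI already restricts a timeout rule to one protocol cannot be seen from this diff; if it does, the check still documents that contract at the point where it is relied on. `conntrack_rule` starts and ends outside this hunk.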
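Review bot: The new `conntrack_ct_policy` filter iterates keys and re-indexes the dict instead of using `.items()`, and has no docstring saying what it renders; `for state, seconds in protocol_conf.items(): output.append(f'{state}: {seconds}')` reads more clearly, with a docstring such as `"""Render a conntrack timeout protocol dict as nftables ct timeout policy entries, e.g. 'established: 120, close: 10'."""`. The keys and values are emitted verbatim into nftables syntax, so if the config dict still carries hyphenated state names (the `syn-sent` style) rather than the underscore form nftables expects, the generated policy will not load; worth confirming against the caller's `get_config_dict` key mangling, which is not visible here. The `ct-timeout-{rule_id}` object referenced by the rule branch above must be declared in the template with the same naming, which this diff does not show.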